subscriber (DDoS Flow Detection)

Syntax

Hierarchy Level

Description

(MX Series routers with only MPCs, T4000 Core Routers with only FPC5s, or EX9200 switches) Configure flow bandwidth, flow control mode, or flow detection mode at the subscriber flow aggregation level for the packet type.

Options

flow-bandwidth—Specify the bandwidth for the flow at the subscriber level. Available only at the [edit system ddos-protection protocols protocol-group packet-type flow-level-bandwidth] hierarchy level.

  • Default: 100 packets per second

  • Range: 1 through 10,000 packets per second

flow-control-mode—Specify how traffic in the detected flow is controlled at the subscriber level. Available only at the [edit system ddos-protection protocols protocol-group packet-type flow-level-control] hierarchy level.

Note:

The configuration at this level overrides the global configuration using the flow-level-control statement at the [edit system ddos-protection global] hierarchy level.

  • drop—Drop all traffic in flow.

  • keep—Keep all traffic in flow.

  • police—Police the traffic to within its allowed bandwidth.

  • Default: drop

flow-detection-mode—Specify how flow detection operates at the subscriber level when a policer has been violated. Available only at the [edit system ddos-protection protocols protocol-group packet-type flow-level-detection] hierarchy level.

Note:

The configuration at this level overrides the global configuration using the flow-detection-mode statement at the [edit system ddos-protection global] hierarchy level.

  • automatic—Search flows at the subscriber level only when a DDoS policer is being violated and only until it is established that the flow causing the violation is not at this level. When the suspicious flow is not at this level, then the search moves to a coarser level of flow aggregation (logical interface). Flows at the subscriber level are subsequently not searched again until the policer is no longer violated at the coarser level.

  • off—Disable flow detection at the subscriber level so that flows are never searched at this level.

  • on—Search flows at the subscriber level, even when no DDoS protection policer is currently being violated. Monitoring continues at this level regardless of whether a suspect flow is identified at this level.

  • Default: automatic
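
The three options above, set together for one packet type, as an added example that is not taken from the Juniper documentation. The `dhcpv4` protocol group and `discover` packet type, and the 50 pps value, are chosen here for illustration; substitute the protocol group and packet type you are protecting.

```junos
system {
    ddos-protection {
        protocols {
            /* Illustrative protocol group and packet type (assumption). */
            dhcpv4 {
                discover {
                    flow-level-bandwidth {
                        /* Per-subscriber flow bandwidth in packets per second.
                           Default is 100; valid range is 1 through 10,000.
                           50 is a constructed sample value. */
                        subscriber 50;
                    }
                    flow-level-detection {
                        /* Search subscriber-level flows at all times, rather
                           than only while a policer is violated (the default,
                           automatic). Overrides the global flow-detection-mode
                           for this packet type. */
                        subscriber on;
                    }
                    flow-level-control {
                        /* Rate-limit a detected flow to its allowed bandwidth
                           instead of dropping it entirely (the default, drop).
                           Overrides the global flow-level-control for this
                           packet type. */
                        subscriber police;
                    }
                }
            }
        }
    }
}
```

With `police`, a subscriber whose flow exceeds the configured bandwidth is held to that bandwidth; with the default `drop`, all traffic in the detected flow is discarded.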

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 12.3.

Support for Enhanced Subscriber Management added in Junos OS Release 17.3R1.